github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update rules to 1.6.0.

Browse Source
This commit is contained in:
brectanus 2008-02-19 15:21:33 +00:00
parent e4eaade2ca
commit bdc746baff
16 changed files with 23 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rules/CHANGELOG
View File

@ -1,6 +1,6 @@
------------------------------
Version 1.6.0-rc3 - 2008/02/11
------------------------------
--------------------------
Version 1.6.0 - 2008/02/19
--------------------------
New Rulesets & Features:
- 42 - Tight Security

4
rules/modsecurity_crs_10_config.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -114,7 +114,7 @@ SecServerSignature "Apache/2.2.0 (Fedora)"
# Add ruleset identity to the logs
#
SecComponentSignature "core ruleset/1.6.0-rc3"
SecComponentSignature "core ruleset/1.6.0"
## -- File uploads configuration -----------------------------------------------
# Temporary file storage path.

6
rules/modsecurity_crs_20_protocol_violations.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -15,10 +15,6 @@
#
#
# Use status code 400 response status code by default as protocol violations
# are in essence bad requests.
SecDefaultAction "log,pass,phase:2,status:400"
# Validate request line
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \

6
rules/modsecurity_crs_21_protocol_anomalies.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -14,10 +14,6 @@
# the request such as URL and not allow the violation generally.
#
# Use status code 400 response status code by default as protocol violations
# are in essence bad requests.
SecDefaultAction "log,pass,phase:2,status:400"
# Do not accept requests without common headers.
# Implies either an attacker or a legitimate automation client.
#

4
rules/modsecurity_crs_23_request_limits.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -16,8 +16,6 @@
# Uncomment the rules you need
#
SecDefaultAction "pass,log,status:400,phase:2"
## -- Arguments limits --
# Limit argument name length

2
rules/modsecurity_crs_30_http_policy.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2

4
rules/modsecurity_crs_35_bad_robots.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -15,8 +15,6 @@
# reduction, eliminating most of the random attacks against your web
# site.
SecDefaultAction "log,pass,phase:2,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
"deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \

4
rules/modsecurity_crs_40_generic_attacks.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -17,8 +17,6 @@
# application requires exceptions for a specific URL, Pattern or source IP
# before moving to blocking mode.
SecDefaultAction "log,pass,phase:2,status:500,t:none"
#
# Session fixation
#

4
rules/modsecurity_crs_45_trojans.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -27,8 +27,6 @@
# Trojans upload to file uploading inspection.
#
SecDefaultAction "log,pass,phase:2,t:lowercase,status:404"
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
SecRule REQUEST_FILENAME "root\.exe" \
"t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

4
rules/modsecurity_crs_50_outbound.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -13,8 +13,6 @@
# of this status code which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners.
SecDefaultAction "log,pass,status:501,phase:4,t:none"
# Statistics pages revealed
SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \

6
rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -15,10 +15,6 @@
#
#
# Use status code 400 response status code by default as protocol violations
# are in essence bad requests.
SecDefaultAction "log,pass,phase:2,status:400"
# Validate request line
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \

6
rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -14,10 +14,6 @@
# the request such as URL and not allow the violation generally.
#
# Use status code 400 response status code by default as protocol violations
# are in essence bad requests.
SecDefaultAction "log,pass,phase:2,status:400"
# Do not accept requests without common headers.
# Implies either an attacker or a legitimate automation client.
#

4
rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -17,8 +17,6 @@
# application requires exceptions for a specific URL, Pattern or source IP
# before moving to blocking mode.
SecDefaultAction "log,pass,phase:2,status:500,t:none"
#
# Session fixation
#

12
rules/optional_rules/modsecurity_crs_42_comment_spam.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -16,19 +16,17 @@
# more noticable in search results.
#
SecDefaultAction "log,pass,phase:2,status:501,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
# Prequalifier. Look for <http> first
SecRule ARGS|ARGS_NAMES "\bhttp:" "skip:1,pass,nolog,id:'999010',severity:'5'"
SecRule ARGS|ARGS_NAMES "\bhttp:" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"
SecAction pass,nolog,skipAfter:999011
# Look for 2 ways of posting a link
SecRule ARGS|ARGS_NAMES "\[url\b" "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
SecRule ARGS|ARGS_NAMES "\[url\b" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
SecRule ARGS|ARGS_NAMES "\<a"
# Look for too many links in argument (Prone to FPs)
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
SecAction "pass,nolog,id:'999011',severity:'5'"
SecMarker 999011

4
rules/optional_rules/modsecurity_crs_42_tight_security.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -15,8 +15,6 @@
# many legit requests.
#
SecDefaultAction "log,pass,phase:2,status:400,t:none"
#
# Directory Traversal
#

4
rules/optional_rules/modsecurity_crs_55_marketing.conf
View File

@ -1,5 +1,5 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Core ModSecurity Rule Set ver.1.6.0
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
@ -11,8 +11,6 @@
# monitoring and logging HTTP transactions.
# --
SecDefaultAction "log,pass,phase:2,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
"log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"